Abstract

This paper deals with the evaluation of trust in a network of public-key infrastructures. We consider the PGP web of trust or the network of cross-certificates of trust anchors for website authentication. Different trust models have been proposed to interconnect the various PKI components in order to propagate the trust between them. In this paper we provide a simple model for trust and reputation management in PKI architectures, and a new polynomial algorithm using linear algebra to assess trust relationships in a network using different trust evaluation schemes.



1 Introduction

The principle of a Public Key Infrastructure (PKI) is to establish (using certificates) a trust environment between network entities and thus guarantee some security of communications.

For example, in a cross-certification PKI, an entity called Alice can establish a communication with another entity called Bob only after validating Bob's certificate. For this, Alice must verify the existence of a certification path between her trust anchor and Bob's certification authority (CA). This certificate validation policy imposes that each entity must have complete trust in its trust anchors, and that this trust anchor has a direct or indirect relation with other CAs.

In fact, several risks exist in the current trust models if the trust anchors are not validated out-of-band by their users. Ellison and Schneier identified a risk of PKIs to be "Who do we trust, and for what?", which emphasizes the doubts about the trust relationship between the different PKI components [5]. Several incidents, including the one in which VeriSign issued two fraudulent certificates associated with Microsoft [5], or even the recent fraudulent certificates for Google emitted by DigiNotar [T], confirm that a global evaluation of trust for the trust anchors might be a solution to assess a respective global degree of trust. In e.g. [5, 7, 8], algorithms are proposed to quantify the trust relationship between two entities in a network, using transitivity. Some of them evaluate trust throughout a single path, while others consider more than one path to give a better approximation of trust between entities. However, to the best of our knowledge, they are restricted to simple network trees. Another approach would be to use some fully trusted keys or authorities, like the Sovereign Keys or the Convergence project.

In this paper we choose the first approach and use transitivity to approximate global levels of trust efficiently. Our idea is to use the powers of the incidence matrix (used e.g. to verify the graph connectivity or to compute the number of [bounded] paths between nodes). The approach is similar to that used also e.g. for community detection in graphs [1] and we use it to produce a centralized or distributed quantification of trust in a network. The complexity of this algorithm is $O(n^2 \cdot \varphi \cdot \ell)$ in the worst case, polynomial in $n$, the number of entities (nodes of the graph), $\varphi$, the number of trust relationships (edges), and $\ell$, the size of the longest path between entities. For instance, the algorithm proposed in [7] worked only for directed acyclic graphs (DAG) and required the approximate resolution of the Bounded Disjoint Paths problem, known to be NP-Hard [12]. In the case of DAGs the complexity of our algorithm even reduces to $O(n \cdot \varphi \cdot \ell)$.

The aim of our algorithm is the evaluation of trust using all existing (bounded) 
trust paths between entities as a preliminary to any exchanges between PKIs. 
This can give a precise evaluation of trust, and optimize the certificate valida- 
tion time. The algorithm can also be adapted (under condition) to different 
trust metrics. 

We present our chosen trust metric in section 2 and our algorithm in section 3. Then, we show that trust and reputation are complementary and propose a simple model for trust management in PKI architectures, using both notions (trust & reputation).

2 Transitive trust metric 

There are several schemes for evaluating the (transitive) trust in a network. Some present the trust degree as a single value representing the probability that the expected action will happen.

Others include the distrust degree indicating the probability that the opposite of the expected action will happen [6]. More complete schemes can be introduced to evaluate trust: Jøsang [3] for instance introduced the Subjective Logic notion, which expresses subjective beliefs about the truth of propositions with degrees of "uncertainty".
[7, 8] also introduced a quite similar scheme with a formal, semantics-based calculus of trust and applied it to public key infrastructures (PKI). In the next sections, we adopt the latter trust evaluation scheme: the idea is to represent trust by a triplet (trust, distrust, uncertainty). Trust is the proportion of experiences proved, or believed, positive. Distrust is the proportion of experiences proved negative. Uncertainty is the proportion of experiences with unknown character.

Definition 1. Let $d$ be a trustor entity and $e$ a trustee. Let $m$ be the total number of encounters between $d$ and $e$ regarding an instanced expectancy in a given context. Let $n$ (resp. $l$) be the number of positive (resp. negative) experiences among all encounters between $d$ and $e$.

• The trust degree is defined as the frequency rate of the trustor's positive experience among all encounters with the trustee. That is, $td(d, e) = \frac{n}{m}$.

• The distrust degree; similarly we have $dtd(d, e) = \frac{l}{m}$.

• The uncertainty, denoted by $ud$, is defined by $ud = 1 - td - dtd$.

In the following we will denote the trust relationship by $tr(a, b) = \langle td(a, b), dtd(a, b), ud(a, b) \rangle$ or simply $tr(a, b) = \langle td(a, b), dtd(a, b) \rangle$, since the uncertainty depends directly on the trust and distrust degrees.

In these definitions, the trust depends on the kind of expectancy, the context 
of the experiences, type of trust (trust in belief, trust in performance), ..., see 
e.g. [8]. For simplicity, we only consider in the next sections the above generic 
concept of trust. 

2.1 Aggregation of trust 

The main property we would like to express is transitivity. Indeed in that case 
keys trusted by many entities, themselves highly trusted, will induce a larger 
confidence. In the following we will consider a trust graph representing the trust 
relationships as triplets between entities in a network. 

Definition 2. (Trust graph) Let $T \subset \mathbb{R}^3$ be a set of trust values. Let $V$ be a set of entities of a trust network. Let $E$ be a set of directed edges with weight in $T$. Then $G = (V, E, T)$ is called a trust graph and there is an edge between two vertices whenever there exists a nonzero trust relationship between its entities.

Next we define the transitivity over a path between entities, and using parallel paths between them, as sequential and parallel aggregations. We first need to define a trust path:

Definition 3. (Trust path) Let $G = (V, E, T)$ be a trust graph. A trust path between two entities $T_1 \in V$ and $T_n \in V$ is represented as the chain $T_1 \to T_2 \to \dots \to T_{n-1} \to T_n$, where the $T_i$ are entities in $V$ and $v_i \in T$ are respectively the trust degrees associated to each trust relation $(T_i \to T_{i+1}) \in E$.



The need for the sequential aggregation is shown by the following example. Consider, as shown on figure 1, Alice trusting Bob with a certain degree, and Bob trusting Charlie with a certain trust degree. Now, if Alice wishes to communicate with Charlie, how can she evaluate her trust degree toward Charlie? For this, we use the sequential aggregation of trust to help Alice make a decision, based on Bob's opinion about Charlie.

Figure 1: Simple sequential trust aggregation (solid arrow: direct trust relationship; dashed arrow: indirect, sequentially aggregated, trust relationship)

Definition 4. (Sequential aggregation of trust) Let $G = (V, E, T)$ be a trust graph. Let $a$, $b$ and $c$ be three entities in $V$ and $tr(a, b) \in T$, $tr(b, c) \in T$ be respectively the trust degrees associated to the entity pairs $(a, b)$ and $(b, c)$. The sequential aggregation of trust between $a$ and $c$ is a function $f$ that calculates the trust degree over the trust path $a \to b \to c$. It is defined by:

$$f : T \times T \to T \quad\text{with}\quad f(tr(a, b), tr(b, c)) = tr_f(a, c) = \langle td_f(a, c), dtd_f(a, c) \rangle$$

where

$$td_f(a, c) = td(a, b) \cdot td(b, c) + dtd(a, b) \cdot dtd(b, c)$$

$$dtd_f(a, c) = dtd(a, b) \cdot td(b, c) + td(a, b) \cdot dtd(b, c)$$

This definition of $f$, the sequential aggregation function, is given by [8, Theorem UT-1]. This sequential aggregation function can be applied recursively to any tuple of values of $T$, to evaluate the sequential aggregation of trust over any trust path of any length $> 2$ as follows: $f(v_1, \dots, v_n) = f(f(v_1, \dots, v_{n-1}), v_n)$.

Now, the following definition of the parallel aggregation function can also be found in [8, § 7.2.2] and is illustrated on figure 2.

Definition 5. (Parallel aggregation of trust) Let $G = (V, E, T)$ be a trust graph. Let $a, b_1, \dots, b_n$ and $c$ be entities in $V$ and $tr_i(a, c) \in T$ be the trust degree over the trust path $a \to b_i \to c$ for all $i \in 1..n$. The parallel aggregation of trust is a function $g$ that calculates the trust degree associated to a set of disjoint trust paths connecting the entity $a$ to the entity $c$. It is defined by

$$g : T^n \to T \quad\text{with}\quad g([tr_1, tr_2, \dots, tr_n](a, c)) = tr_g(a, c) = \langle td_g(a, c), dtd_g(a, c) \rangle$$

where

$$td_g(a, c) = 1 - \prod_{i = 1..n} (1 - td_i) \qquad\text{and}\qquad dtd_g(a, c) = \prod_{i = 1..n} dtd_i$$

Definition 6. (Trust evaluation) Let $G(V, E, T)$ be a directed acyclic trust graph, and let $a$ and $b$ be two nodes in $V$. The trust evaluation between $a$ and $b$ is the trust aggregation over all paths connecting $a$ to $b$. It is computed recursively by aggregating (evaluating) the trust between the entity $a$ and the predecessors of $b$ (except, potentially, $a$). Denote by $Pred(b)$ the predecessors of $b$ and by $p_i$ the elements of $Pred(b) \setminus \{a\}$. The trust evaluation between $a$ and $b$ consists in applying first the sequential aggregation over the paths $a \leadsto p_i \to b$ and then the parallel aggregation to the results and $(a \to b)$ (if $(a \to b) \in E$).

Figure 2: Parallel aggregation of trust for multiple trust paths (solid arrow: direct trust relationship; dashed arrow: indirect, parallelly aggregated, trust relationship)

The graph theoretic method proposed by [7, §6.3] for evaluating trust between two nodes in a DAG requires the approximate solution of the Bounded Disjoint Paths problem, known to be NP-Hard [12]. We propose in algorithm 1 to remove the search for disjoint paths, and then we obtain a polynomial time algorithm.

Algorithm 1 Recursive trust evaluation

Input: $G = (V, E, T)$ a directed acyclic trust graph, $A$, $Z$ two nodes of $G$.
Output: Trust between $A$ and $Z$.

1: calculate $N = Pred(Z) \setminus \{A\}$;
2: for all $n_i \neq A$ in $N$: aggregate($A$, $n_i$, $G$);
3: use parallel aggregation to aggregate all paths from $A$ to $Z$;

By storing the already evaluated relationships, this algorithm can e.g. com- 
pute the global trust in a graph with 1000 vertices and 250 252 edges in less 
than 58 seconds on a standard laptop. In the following, we propose to rewrite 
this algorithm in terms of linear algebra. Using sparse linear algebra the overall 
complexity will not change, and the analysis will be eased. Now if the graph 
is close to complete, the trust matrix will be close to dense and cache aware 
linear algebra algorithms will be more suited. Moreover, the linear algorithm 
will decompose the evaluation into converging iterations which could be stopped 
before exact convergence in order to get a good approximation faster. Then we 
will also deduce from this point of view a generalization to any directed graph. 

3 Matrix Powers algorithm 

In this section, we propose a new algorithm for evaluating trust in a network using the powers of the matrix of trust. This algorithm uses techniques from graph connectivity and communicability in networks [1].

Our matrix powers algorithm can be implemented with different trust prop- 
agation schemes under one necessary condition: the transitivity property of the 
(sequential & parallel) trust propagation formulas. For the sake of simplicity, 
we adopt in the following the trust notions and the formulas of [8] . 



3.1 Matrix and monoids of trust 

Definition 7. Let $G = (V, E, T)$ be a trust graph. The matrix of trust of $G$, denoted by $C$, is the incidence matrix containing, for each node of the graph $G$, the trust degrees of a node toward its neighbors, $C_{ij} = \langle td(i, j), dtd(i, j), ud(i, j) \rangle$. When there is no edge between $i$ and $j$, we choose $C_{ij} = \langle 0, 0, 1 \rangle$ and, since every entity is fully confident in itself, we also choose for all $i$: $C_{ii} = \langle 1, 0, 0 \rangle$.

Definition 8. Let $T$ be the set $T = \{\langle x, y, z \rangle \in [0, 1]^3,\ x + y + z = 1\}$, equipped with two operations "+" and "." such that $\forall \langle a, b, u \rangle, \langle c, d, v \rangle \in T$ we have:

$$\langle a, b, u \rangle \cdot \langle c, d, v \rangle = \langle ac + bd,\ ad + bc,\ 1 - ac - ad - bd - bc \rangle,$$

$$\langle a, b, u \rangle + \langle c, d, v \rangle = \langle 1 - (1 - a)(1 - c),\ bd,\ (1 - a)(1 - c) - bd \rangle.$$

We define as the monoids of trust the monoids $(T, +, \langle 0, 1, 0 \rangle)$ and $(T, \cdot, \langle 1, 0, 0 \rangle)$.

$\langle 0, 0, 1 \rangle$ is the absorbing element of "." in $T$. This justifies a posteriori our choice of representation for the absence of an edge between two nodes in definition 7.

We can also see that the set $T$ corresponds to trust degrees $\langle td, dtd, ud \rangle$. In addition, the operations "." and "+" represent respectively the sequential and parallel aggregations of trust, denoted $f$ and $g$ in definitions 4 and 5. Finally, note that "." is not distributive over "+".
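As an added example (not the paper's code), the two laws of Definition 8 applied to concrete triplets, together with Definition 1's degrees computed from encounter counts; it checks the monoid facts above, including that $\langle 0, 0, 1 \rangle$, while absorbing for ".", is not neutral for "+" (it erases the distrust component, which matters when absorbing terms are summed). The function names, the encounter counts and the figure 1 numbers are this example's own assumptions.

```python
"""Trust triplets <td, dtd, ud> and the two aggregation laws of Definition 8.

Added example, not the paper's code. Exact rational arithmetic is used so
that equalities can be checked without floating-point noise.
"""
from fractions import Fraction
from functools import reduce

ABSORB = (Fraction(0), Fraction(0), Fraction(1))      # no edge / no path; absorbs "."
FULL = (Fraction(1), Fraction(0), Fraction(0))        # full trust; neutral for "."
NO_PATH_PAR = (Fraction(0), Fraction(1), Fraction(0))  # neutral for "+"


def trust_from_encounters(m, n, l):
    """Definition 1: m encounters, n positive, l negative -> <td, dtd, ud>."""
    if m <= 0 or n < 0 or l < 0 or n + l > m:
        raise ValueError("need m > 0 and 0 <= n + l <= m")
    td, dtd = Fraction(n, m), Fraction(l, m)
    return (td, dtd, 1 - td - dtd)


def seq(x, y):
    """Definition 4, the "." law: trust over the path x followed by y."""
    a, b, _ = x
    c, d, _ = y
    t, dt = a * c + b * d, a * d + b * c
    return (t, dt, 1 - t - dt)


def par(x, y):
    """Definition 5, the "+" law: trust over two disjoint paths."""
    a, b, _ = x
    c, d, _ = y
    t, dt = 1 - (1 - a) * (1 - c), b * d
    return (t, dt, 1 - t - dt)


def seq_path(degrees):
    """f(v1, ..., vn) = f(f(v1, ..., v_{n-1}), vn): a left fold of "."."""
    return reduce(seq, degrees)


def par_paths(path_degrees):
    """g over several disjoint paths; no path at all gives the "+" neutral."""
    return reduce(par, path_degrees, NO_PATH_PAR)


def is_distributive(x, y, z):
    """Does x.(y + z) == x.y + x.z hold for these values? (Not in general.)"""
    return seq(x, par(y, z)) == par(seq(x, y), seq(x, z))


def evaluate_alice_charlie():
    """Figure 1 scenario with constructed counts: Alice -> Bob -> Charlie,
    plus a direct Alice -> Charlie relationship aggregated in parallel.
    Returns (trust via Bob, trust over both paths)."""
    alice_bob = trust_from_encounters(10, 8, 1)      # <4/5, 1/10, 1/10>
    bob_charlie = trust_from_encounters(20, 18, 1)   # <9/10, 1/20, 1/20>
    alice_charlie = trust_from_encounters(10, 5, 2)  # <1/2, 1/5, 3/10>
    via_bob = seq_path([alice_bob, bob_charlie])
    return via_bob, par_paths([alice_charlie, via_bob])


if __name__ == "__main__":
    via_bob, total = evaluate_alice_charlie()
    print("Alice -> Bob -> Charlie:", via_bob)
    print("with the direct path too:", total)
    x = trust_from_encounters(10, 6, 1)
    print("x + <0,0,1> =", par(x, ABSORB), "(distrust lost)")
```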

3.2 d-aggregation of trust

Definition 9. (d-aggregation of trust) For $d \in \mathbb{N}$, the $d$-aggregation of trust between two nodes $A$ and $B$, in an acyclic trust graph, is the trust evaluation over all paths of length at most $d$ connecting $A$ to $B$. It is denoted $d\text{-}agg_{A,B}$.

Definition 10. (Trust vectors product) Consider the directed trust graph $G = (V, E, T)$ with trust matrix $C$. Let $C_{i*}$ be the $i$-th row vector and $C_{*j}$ be the $j$-th column vector. We define the product of $C_{i*}$ by $C_{*j}$ in the set $T$ to be:

$$C_{i*} \cdot C_{*j} = \sum_{k \in V,\ k \neq j} C_{ik} \cdot C_{kj}$$

Note that $C_{ii} = C_{jj} = \langle 1, 0, 0 \rangle$ is the neutral element for ".". Therefore, our definition differs from the classical dot product as we have removed one of the $C_{ij} = C_{ii} \cdot C_{ij} = C_{ij} \cdot C_{jj}$, but then it matches the 2-aggregation:

Lemma 1. The product $C_{i*} \cdot C_{*j}$ is the 2-aggregated trust between $i$ and $j$.

Proof. We prove first that $C_{ik} \cdot C_{kj}$ is the sequential aggregation of trust between $i$ and $j$ throughout all the paths (of length $\leq 2$) $i \to k \to j$ with $k \in V$. Let $k$ be an entity in the network; there are two cases: whether $k$ is one of the boundaries of the path or not. The first case is $k = i$ or $k = j$:

• if $k = i$, then from the trust matrix definition 7, $C_{ii} = \langle 1, 0, 0 \rangle$ $\forall i$, thus we have $C_{ik} \cdot C_{kj} = C_{ii} \cdot C_{ij} = \langle 1, 0, 0 \rangle \cdot C_{ij} = C_{ij}$.

• if $k = j$, then similarly $C_{ik} \cdot C_{kj} = C_{ij} \cdot C_{jj} = C_{ij} \cdot \langle 1, 0, 0 \rangle = C_{ij}$.

Therefore $C_{ik} \cdot C_{kj}$ corresponds to the [sequential aggregation of] trust between $i$ and $j$ throughout the path $(i, j)$ of length 1. This is why in the product we added the constraint $k \neq j$ in the sum, to avoid taking $C_{ij}$ twice into account. Now the second case is $k \neq i$ and $k \neq j$:

• if $k$ belongs to a path of length 2 connecting $i$ to $j$, then $i$ trusts $k$ with degree $C_{ik} \neq \langle 0, 0, 1 \rangle$, and $k$ trusts $j$ with degree $C_{kj} \neq \langle 0, 0, 1 \rangle$. From definition 4, $C_{ik} \cdot C_{kj}$ corresponds to the sequential aggregation of trust between $i$ and $j$ throughout the path $i \to k \to j$.

• If there is no path of length 2 between $i$ and $j$ containing $k$, then we have $C_{ik} = \langle 0, 0, 1 \rangle$ or $C_{kj} = \langle 0, 0, 1 \rangle$, and thus $C_{ik} \cdot C_{kj} = \langle 0, 0, 1 \rangle$ is also the aggregation of trust between $i$ and $j$ on the path traversing the node $k$.

Finally, we can deduce that $C_{i*} \cdot C_{*j} = \sum_{k \in V,\ k \neq j} C_{ik} \cdot C_{kj}$ corresponds to the parallel aggregation of trust between $i$ and $j$ using all paths of length $\leq 2$, which is the 2-aggregated trust between $i$ and $j$. Note that the latter is equivalent to

$$C_{i*} \cdot C_{*j} = \sum_{k \in Pred(j) \setminus \{i\}} C_{ik} \cdot C_{kj} + C_{ij}. \qquad \square$$

Definition 11. (Trust matrix product) Let $C_{(ij)}$ and $M_{(ij)}$ be two trust matrices. We define the matrix product $N = C * M$ by: $\forall i, j \in \{1..n\}$

$$N_{ij} = \begin{cases} C_{i*} \cdot M_{*j} & \text{if } i \neq j \\ \langle 1, 0, 0 \rangle & \text{otherwise} \end{cases}$$

Lemma 2. Let $(C_{ij})$ be the trust matrix of a network of entities, whose elements belong to a trust graph $G$. The matrix $M$ defined by $M = C^2 = C * C$ represents the 2-aggregated trust between all entity pairs.

Proof. We have: $\forall i, j \in \{1..n\}$

$$M_{ij} = \begin{cases} C_{i*} \cdot C_{*j} & \text{if } i \neq j \\ \langle 1, 0, 0 \rangle & \text{otherwise} \end{cases}$$

If $i = j$: then $M_{ii} = \langle 1, 0, 0 \rangle$ denotes that $i$ has total trust in itself. Otherwise, if $i \neq j$: according to lemma 1, $M_{ij}$ is the 2-aggregated trust between $i$ and $j$. $\square$

Now, according to definition 6 of the trust evaluation in a network, we can generalize lemma 2 to evaluate trust using all paths of a given length:

Theorem 1. Let $G = (V, E, T)$ be an acyclic trust graph with matrix of trust $C$. Then $C^d$ represents the $d$-aggregated trust between all entity pairs in $V$.

Proof. We proceed by induction. Let $HR(d)$ be the hypothesis that $C^d$ represents the $d$-aggregated trust between all entity pairs in $V$. Then $HR(2)$ is true from lemma 2. Now let us suppose that $HR(d)$ is true. First, if $i = j$, then $(d+1)\text{-}agg_{i,j} = \langle 1, 0, 0 \rangle = C^{d+1}_{ij}$ from definition 11. Second, definition 6 gives:

$$\begin{aligned}
(d+1)\text{-}agg_{ij} &= \sum_{k \in Pred(j) \setminus \{i\}} d\text{-}agg_{ik} \cdot C_{kj} + C_{ij} && \text{by def. 6} \\
&= \sum_{k \in Pred(j) \setminus \{i\}} C^d_{ik} \cdot C_{kj} + C_{ij} && \text{by } HR(d) \\
&= \sum_{k \in Pred(j)} C^d_{ik} \cdot C_{kj} && \text{since } C^d_{ii} = \langle 1, 0, 0 \rangle \\
&= \sum_{k \in V,\ k \neq j} C^d_{ik} \cdot C_{kj} && \text{since } C_{kj} = \langle 0, 0, 1 \rangle \text{ if } (k, j) \notin E
\end{aligned}$$

Overall, $HR(d+1)$ is proven and induction proves the theorem. $\square$

From this theorem, we immediately have that in an acyclic graph the matrix powers must converge.

Corollary 1. Let $G = (V, E, T)$ be an acyclic trust graph with trust matrix $C$. The matrix powers of $C$ converge to a matrix $C^\ell$, where $\ell$ is the size of the longest path in $G$.

For the proof of this corollary, we need the following lemma.

Lemma 3. Let $\lambda_{i,j}$ be the length of the longest path between $i$ and $j$. Then either $\lambda_{ij} = 1$ or $\lambda_{ij} = \max_{k \in Pred(j) \setminus \{i\}} (\lambda_{i,k}) + 1$.

Proof of corollary 1. We prove the result by induction and consider the hypothesis $HR(d)$ with $d \geq 1$:

$$\forall i, j \in V \text{ such that } \lambda_{ij} \leq d,\ \forall t \geq \lambda_{ij}:\quad C^t_{ij} = C^{\lambda_{ij}}_{ij}$$

We first prove the hypothesis for $d = 1$. Let $i$ and $j$ be such that the longest path between them is of length 1. This means that in this acyclic directed graph, there is only one path between $i$ and $j$, the edge $i \to j$. Now from definition 6 we have that $\forall t,\ C^t_{ij} = \sum_{k \in Pred(j) \setminus \{i\}} C^{t-1}_{ik} \cdot C_{kj} + C_{ij}$. However, $Pred(j) \setminus \{i\} = \emptyset$, so that $C^t_{ij} = C_{ij}$ for all $t$. This proves $HR(1)$.

Now suppose that $HR(d)$ is true. Let $i$ and $j$ be two vertices in $G(V, E, T)$. We have two cases. First case: $\lambda_{ij} \leq d$. Then $\lambda_{ij} \leq d + 1$ and from the induction hypothesis we have that $C^t_{ij} = C^{\lambda_{ij}}_{ij}$ $\forall t \geq \lambda_{ij}$. Therefore $HR(d+1)$ is true for $i$ and $j$. Second case: $\lambda_{ij} = d + 1 \geq 2$. Then we have, $\forall u \geq 0$:

$$C^{d+1+u}_{ij} = \sum_{k \in Pred(j)} C^{d+u}_{ik} \cdot C_{kj}.$$

Now, from lemma 3, the maximum length of any path between $i$ and a predecessor of $j$ is $\lambda_{ij} - 1 = d$. Therefore, from the induction hypothesis, we have that $C^{d+u}_{ik} = C^{\lambda_{ik}}_{ik} = C^d_{ik}$ for all $k \in Pred(j)$. Then $C^{d+1+u}_{ij} = \sum_{k \in Pred(j)} C^d_{ik} \cdot C_{kj} = C^{d+1}_{ij}$, which proves the induction and thus the corollary. $\square$



From the latter corollary, we now have an algorithm to compute the trust evaluation between all the nodes in an acyclic trust network: perform the trust matrix powering with the monoid laws up to the longest path in the graph.

Theorem 2. Let $(C_{ij})$ be the trust matrix corresponding to an acyclic graph with $n$ vertices and $\varphi$ edges whose longest path is of size $\ell$. The complexity of the evaluation of the aggregated trust between all entity pairs represented by this trust matrix is bounded by $O(n \cdot \varphi \cdot \ell)$ operations.

Proof. $C$ is sparse with $\varphi$ non-zero elements. Thus multiplying $C$ by a vector requires $O(\varphi)$ operations and computing $C \times C$ requires $O(n \varphi)$ operations. Then, theorem 1 shows that $C^j$ for $j \geq 2$ is the $j$-aggregated trust between any entity pair. Finally, corollary 1 shows that $C^j = C^\ell$ as soon as $j \geq \ell$. $\square$



3.3 Evaluation of trust in the presence of cycles

In the presence of cycles in a network, the matrix powers algorithm reevaluates indefinitely the trust degrees between the nodes in a cycle. This implies that the algorithm will finally converge to the maximal trust degree 1.

Figure 3: Graph with one cycle and its trust matrix $C$ with $C^2$, $C^3$, $C^4$ and $C^5$

Consider the graph of figure 3 with $a, b, c, d$ the trust degrees corresponding to the links $1 \to 2 \to 3 \to 4 \to 2$. Its trust matrix $C$ and applications of the matrix powers algorithm on this matrix are shown on figure 3. For instance, the value

$$C^5_{1,3} = C^4_{1,2} \cdot C_{2,3} = (C_{1,2} + C^3_{1,4} \cdot C_{4,2}) \cdot C_{2,3} = (C_{1,2} + (C^2_{1,3} \cdot C_{3,4}) \cdot C_{4,2}) \cdot C_{2,3} = (C_{1,2} + ((C_{1,2} \cdot C_{2,3}) \cdot C_{3,4}) \cdot C_{4,2}) \cdot C_{2,3} = (a + a.b.c.d).b$$

(the other terms of the sum are $\langle 0, 0, 1 \rangle$) corresponds to the aggregation on the paths $1 \to 2 \to 3$ and $1 \to 2 \to 3 \to 4 \to 2 \to 3$ linking 1 to 3. If we continue iterations for $n > 5$, we find that the algorithm re-evaluates the trust on the loop $3 \to 4 \to 2 \to 3$ infinitely.

To solve this issue, we propose to change the matrix multiplication procedure, so that each path will be used only once in the assessment of a trust relationship. For this, we use a memory matrix $R_{ij}$. This stores, for each pair of nodes, all edges traversed to evaluate their trust degree. Only the paths containing an edge not already traversed to evaluate the trust degree are taken into account at the new iteration. Therefore, the computation of $C^t_{ij}$ for $t > 1$ becomes:

Algorithm 2 Matrix powers for generic network graphs

Input: An $n \times n$ matrix of trust $C$ of a generic directed trust graph.
Output: Global trust in the network.

1: $t = 2$;
2: Repeat
3:   For all $(i \neq j) \in [1..n]^2$ do
4:     $C^t_{ij} = \langle 0, 0, 1 \rangle$; $R^t_{ij} = \emptyset$;
5:     For $k = 1$ to $n$ do
6:       $s = C^{t-1}_{ik} \cdot C_{kj}$;
7:       If ($s \neq \langle 0, 0, 1 \rangle$) then
8:         $C^t_{ij} \mathrel{+}= s$;
9:         $R^t_{ij} = R^t_{ij} \cup R^{t-1}_{ik} \cup \{(k \to j)\}$; // using a sorted set union
10:      End If
11:    End For
12:    If ($\#R^t_{ij} \leq \#R^{t-1}_{ij}$) then $C^t_{ij} = C^{t-1}_{ij}$; $R^t_{ij} = R^{t-1}_{ij}$; End If
13:  End For
14: Until $C^t == C^{t-1}$; $++t$;
15: return $C^t$;



Theorem 3. Let $C$ be the trust matrix corresponding to a generic trust graph. Algorithm 2 converges to the matrix $C^\ell$ where $\ell$ is the longest acyclic path between vertices.

Proof. Let $C^\ell$ be the evaluation of the $\ell$-aggregated trust between all entity pairs after $\ell$ iterations, where $\ell$ is the longest acyclic path between vertices. At this stage, for each pair $i, j$, all the edges belonging to a path between $i$ and $j$ will be marked in $R_{ij}$. Therefore, no new $s = C^\ell_{ik} \cdot C_{kj}$ will be added to $C^{\ell+1}_{ij}$. Conversely, at iteration $x < \ell$, if there exists an acyclic path between a pair $i, j$ of length greater than $x$, then it means that there exists at least one edge $e$ not yet considered on a sub-path from, say, $u$ to $v$, of length $x$: $i \leadsto u \leadsto \dots \leadsto v \leadsto j$. Then $R^x_{uv}$ will be different from $R^{x-1}_{uv}$ and so will be $C^x_{uv}$ from $C^{x-1}_{uv}$. $\square$

Theorem 4. Let $C$ be the trust matrix corresponding to a generic trust graph with $n$ vertices and $\varphi$ edges whose longest path between vertices is of size $\ell$. The complexity of the global evaluation of all the paths between any entity is bounded by $O(n^2 \cdot \varphi \cdot \ell)$ operations.

Proof. Using algorithm 2, we see that the triple loop induces $n^3$ monoid operations and $n^2$ merges of the sorted sets of edges. A merge of sorted sets is linear in the number of edges, $\varphi$. Then the overall iteration is performed at most $\ell$ times from theorem 3. $\square$

By applying the new algorithm on the example of figure 3 we still obtain $C_{1,3} = (a + a.b.c.d).b$, but now $R_{1,3} = \{a, b, c, d\}$ and thus no more contribution can be added to $C^t_{1,3}$ at later iterations.

A first naive dense implementation of this algorithm took less than 4 seconds to perform the first iteration ($C^2$) on the graph of section 2 with 1000 vertices and 250k edges.
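An added implementation (not the paper's own code) of the matrix powers iteration with the memory matrix of Algorithm 2, run on the figure 3 graph to reproduce $C_{1,3} = (a + a.b.c.d).b$ and $R_{1,3} = \{a, b, c, d\}$, and on a small DAG to check the convergence of Corollary 1; with the memory switched off it shows the unbounded re-evaluation of section 3.3. The product skips $\langle 0, 0, 1 \rangle$ terms as line 7 does; the 0-based node numbering, helper names and sample degrees are this example's assumptions.

```python
"""Matrix powers with a memory matrix (Algorithm 2) on a trust graph.

Added example, not the paper's code. Degrees are <td, dtd, ud> triplets
with "." and "+" as in Definition 8; the product follows Definition 10
(k != j) and, as in line 7 of Algorithm 2, products equal to <0,0,1>
(no path through k) are not added. Node indices are 0-based.
"""
from fractions import Fraction as F
from itertools import product

ABSORB = (0, 0, 1)   # no edge; absorbing element of "."
FULL = (1, 0, 0)     # self trust; neutral element of "."


def seq(x, y):
    """Sequential aggregation, the "." law (Definition 4)."""
    a, b, _ = x
    c, d, _ = y
    t, dt = a * c + b * d, a * d + b * c
    return (t, dt, 1 - t - dt)


def par(x, y):
    """Parallel aggregation, the "+" law (Definition 5)."""
    a, b, _ = x
    c, d, _ = y
    t, dt = 1 - (1 - a) * (1 - c), b * d
    return (t, dt, 1 - t - dt)


def trust_matrix(n, edges):
    """Definition 7: edges maps (i, j) -> (td, dtd); ud is deduced."""
    C = [[ABSORB] * n for _ in range(n)]
    for i in range(n):
        C[i][i] = FULL
    for (i, j), (td, dtd) in edges.items():
        C[i][j] = (td, dtd, 1 - td - dtd)
    return C


def matrix_powers(C, use_memory=True, max_iter=100):
    """Iterate C^t = C^(t-1) * C until C^t == C^(t-1).

    With use_memory, R[i][j] holds the edges already used to evaluate
    (i, j); a recomputed value is kept only if it used an edge not yet in
    R[i][j] (Algorithm 2, line 12). Without it this is plain powering
    (Theorem 1): fine on a DAG, but it never settles once there is a cycle.
    Returns (matrix, R, number of products computed, converged).
    """
    n = len(C)
    prev = [row[:] for row in C]
    R = [[frozenset({(i, j)}) if i != j and C[i][j] != ABSORB else frozenset()
          for j in range(n)] for i in range(n)]
    for it in range(1, max_iter + 1):
        cur = [row[:] for row in prev]
        Rn = [row[:] for row in R]
        for i, j in product(range(n), repeat=2):
            if i == j:
                continue                  # diagonal stays <1,0,0>
            acc, used = None, set()
            for k in range(n):
                if k == j:
                    continue              # Definition 10: k != j
                s = seq(prev[i][k], C[k][j])
                if s == ABSORB:
                    continue              # no path i ~> k -> j
                acc = s if acc is None else par(acc, s)
                used |= R[i][k] | {(k, j)}
            if acc is None or (use_memory and used <= R[i][j]):
                continue                  # nothing new: keep C^(t-1)_ij
            cur[i][j], Rn[i][j] = acc, frozenset(used)
        if cur == prev:
            return cur, Rn, it, True
        prev, R = cur, Rn
    return prev, R, max_iter, False


# Constructed inputs. DAG: Alice(0) -> Bob(1) -> Charlie(2) plus a direct
# Alice -> Charlie edge, i.e. two parallel paths of length 2 and 1.
DAG = trust_matrix(3, {(0, 1): (F(4, 5), F(1, 10)),
                       (1, 2): (F(9, 10), F(1, 20)),
                       (0, 2): (F(1, 2), F(1, 5))})
# Figure 3: 1 -> 2 -> 3 -> 4 -> 2 with degrees a, b, c, d (distrust 0).
A, B, Cd, D = (F(1, 2), 0), (F(3, 4), 0), (F(1, 2), 0), (F(1, 2), 0)
CYCLE = trust_matrix(4, {(0, 1): A, (1, 2): B, (2, 3): Cd, (3, 1): D})

if __name__ == "__main__":
    M, R, its, ok = matrix_powers(CYCLE)
    print("C_1,3 =", M[0][2], "after", its, "products; converged:", ok)
    print("R_1,3 =", sorted(R[0][2]))
```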

3.4 B ounded evaluation of trust

In practice, the evaluation of trust between two nodes $A$ and $B$ need not consider all trust paths connecting $A$ to $B$, for two reasons:

• First, mitigation is one of the trust properties, i.e. the trust throughout trust paths decreases with the length of the latter. Therefore after a certain length $L$, the trust on paths becomes weak and thus should have a low contribution in improving the trust degree after their parallel aggregation.

• Second, if at some iteration $n > 1$ we already obtained a high trust degree, then contributions of other paths will only be minor.

Therefore, it is possible to use the matrix powers algorithm with fewer iterations and e.g. a threshold for the trust degree, in order to compute fast a good approximation of the trust in a network.

4 Distributed Trust and Reputation for public 
key architectures 

Reputation can be defined as in [13]: "a peer's belief in another peer's capabilities, honesty and reliability based on the other peers' recommendations." Currently, reputation is implemented in several areas: e-commerce, mailing (combating spam), search engines (page classification), P2P networks, etc. Reputation can for instance be used to help peers distinguish good from bad partners.

However, the notions of trust and reputation are usually treated separately. Yet these two concepts are complementary and both necessary for a better quantification of the credibility of an entity.

On the one hand, it is necessary to have at least one trust path between 
two entities to evaluate their trust degree. This cannot always be guaranteed 
in large networks. There, the reputation can give a significant indication that 
will allow users to take the decision to communicate (or not) with other peers. 
On the other hand, a low degree of reputation cannot be conclusive on the credibility of an entity. Indeed, reputation depends on the number of incoming trust relationships and this may discriminate against the least "popular" entities. In this case, the trust degree is more significant.

There exist several reputation evaluation systems, like e.g. EigenTrust [10], inspired from Google's PageRank [11], or the Spreading Activation Model for trust propagation [^], etc. An important advantage of reputation systems is their performance. They are fast compared to the binary trust evaluation on a network, usually in time quadratic in the size of the network.

In the following, we propose a model combining the trust and the reputation 
concepts, for an efficient evaluation of trust in PKI architectures, i.e. with 
complexity cubic in the size of the network. 

The first question is between a centralized and a distributed model of eval- 
uation. To implement a centralized trust management model, we would need 
a new "trusted authority" (TA) which would assess trust in all PKI architec- 
tures. This is somewhat the case e.g. in the DNSsec specifications. Its role 
here would be to retrieve the trust degrees expressed by all CAs and to evaluate 
the trust and reputation degrees in the network. But then TA would need to 
have a global vision of the network and to estimate with high accuracy the trust 
degrees between entities. 

Moreover, the reliability of this centralized model is based entirely on the reliability of the TA. This might not be applicable to very large networks like the Internet, but more suited to small "local" communities of CAs.

Another approach is to use a distributed management model, where the 
entities must contact others to share some trust degrees. This will enable each 
entity to evaluate the trust in its neighborhood. On the one hand, this can be 
applied to large networks, while preserving for each entity a low computational 
cost. On the other hand, each entity might have only a limited view of the 
whole network. 

Now, in this setting it is also possible to distribute even the computation of the trust matrix: each entity would be responsible for the computation of a sub-matrix of the global network. Then the entity could receive some other (potentially overlapping) sub-matrices, signed by trusted entities. These trust degrees could be expressed in the certificates, even as a shared secret [2].

Our model can be applied to any PKI system (like cross-certified PKIs or the PGP web of trust) which consists of a number of entities with certificates/keys, and in which any entity may sign other entities' certificates/keys.

This cross-certification/key-signature supposes at least the verification of 
a policy along the certification path from the signatory to the owner of the 
signed certificate. Thus, each entity may express its trust degrees in the certifi- 
cates/keys it has to create/sign. 

Now, due to the difficulty of expressing precisely a trust degree, a first rating could use a scale from 0 to 10 to normalize the triplet (trust, distrust, uncertainty). As shown for example on figure 4, one can evaluate a trust degree to 6/10, usually a smaller value for the known false emissions of the trustee (often 0/10 or here 1/10), and then the uncertainty is deduced as $1 - \text{trust} - \text{distrust} = 3/10$.

Figure 4: Example of a scale of trust (trust, distrust, uncertainty)



4.0.1 Cross-certified PKI architectures 

In the case of cross-certified PKI architectures, the CAs play the main role. In the context of this article, we assume that the relations [CA $\to$ users] are based on complete trust. In this case, only the inter-CA relationships are evaluated. Each CA creates an initial trust matrix from its certificate store and saves it locally. This matrix corresponds to the sub-graph of the CA's neighborhood. A network discovery mechanism should then be established to expand the trust sub-graph and to have a broader view of the network. Then the CA evaluates the trust and reputation using the matrix powers algorithm of section 3 and a reputation evaluation scheme. It can then also decide to forward some of this information to its users, via e.g. its SCVP services (Server-based Certificate Validation Protocol), in response to their certificate validation requests.

4.0.2 PGP Web Of Trust 

In the case of PGP networks, the same rating system could replace the current system (full trust, marginally trusted, no trust). This will allow assessing more precisely the trust degrees between users. Each user creates its own trust matrix, which will be initialized from the certificates (public keys) in the key-ring. A network discovery mechanism could also be established to expand the local network of trust. Finally, trust and reputation are assessed through the trust matrix.

For instance, the PGP client settings COMPLETES_NEEDED and MARGINALS_NEEDED, which are used to compute the required number of signatures generated by keys with full or marginal trust, could be replaced by MINIMAL_TRUST and MINIMAL_REPUTATION, representing the trust and reputation degrees needed to validate a public key. The values of these parameters will of course depend on the trust propagation system used and on personal policies.

5 Conclusion 

Current public-key infrastructure models assume that the relationships between the PKI entities are based on absolute trust. However, several risks when using PKI procedures are related to these assumptions. In this article we introduce a simple distributed trust model in order to quantify and manage the trust in cross-certified PKIs and in the PGP web of trust. We use the formal, semantics-based calculus of trust introduced by [7, 8] and apply it to PKIs.
We have reduced the evaluation of trust between entities of a DAG network to linear algebra. This gives a polynomial algorithm to assess the global trust evaluation in a network. Moreover, depending on the sparsity of the considered graphs, this enables the use of adapted linear algebra methods. Also, the linear algebra algorithm decomposes the evaluation into converging iterations which could be stopped before exact convergence in order to get a good approximation faster. Finally, this enabled us also to generalize the trust evaluation to any directed graph, still with a polynomial complexity.

Overall, our model combines the reputation and the trust notions to give a 
precise indication about the credibility of the PKI entities. 

Further improvements include a dedicated Network Discovery Mechanism, used to expand the trust sub-graph and to guarantee the safety of the trust model.

Also, the trust degrees could be sensitive information. Therefore, the joint use of trust matrices and homomorphic cryptosystems enabling a private computation of shared secrets would be useful.